Yeah, I'm pretty sure I had JTR configured properly... Though, I admit I really don't know how to use it properly... I just ran it against the hash file that I made, in the same style that it worked for the mission... I even retried C&A on the hash that I made and it said something about taking years... easiest way to get me to fuck off about something is tell me it will take more than a few hours lol.

Come on, that's not the point of these challenges. If you want to be spoiled buy a puzzle-book or similar and look at the answers before doing them. Also: don't be so negative, 'for who suck' isn't friendly or constructive if you do suck.

I have been going insane over this and as it turns out, I was doing exactly what I needed to do. I opened the same link (the one with the broken image) in Firefox and in Chrome. I had been working in Firefox the entire time and no broken image was shown, unlike in Chrome. I looked at the source code in both browsers and they generated different outputs. Does anyone know what might have caused this? So a hint to people who are stuck at finding the correct directory: perhaps switching browsers will help.

EDIT: I didn't manage to crack the hash with MDCrack because it doesn't automatically recognize what kind of hash it is, so instead I used JtR. Can somebody explain how to distinguish between different hash types?

my favorite realistic mission so far! it felt sooooo l337 doing my thing with JTR (after i spent about 10 minutes figuring out how to work it of course!)... now if i could just figure out 4 and 6 lol

peace and blessings

I've been playing with this for 2 days now. I found out so far that this was an MD* ...x type hash with both the salt and the hash value hashed together.

My questions:

It has a salt which should prevent me from any attacks (BF, dict, rainbow), and the crypt algorithm is very slow, so does it make sense at all to play with a cracker program?

If yes, what program should I use? I do have PasswordPro but it couldn't solve it. Maybe any tips for restrictions to use, like dictionary, rules etc? (I have read that rainbow tables won't work with these...)

Thanks!

-- Tue Nov 27, 2012 6:13 pm --

[quote="UsernameHerpDerp"]OK, I have several problems with this mission.

Secondly - Why the shit would the .htpasswd file have a password encrypted in some bullshit hash? .htpasswd files are in the format username:password, where the password is A 13-CHARACTER crypt() ENCRYPTION OF THE FIRST 8 LETTERS OF THE USER-ENTERED PASSWORD. That is the standard, and that is what .htaccess uses. Maybe I'm being obtuse here; maybe there is some way to change the encryption algorithm from crypt() to some custom hashing algorithm. But if the web designer was stupid enough to put the .htaccess file in the same directory that he was blocking off, I really doubt he would be cautious enough to change the encryption on the password, and even if he was, he sure as hell wouldn't change it to something that can be cracked with a simple rainbow table, he would salt it appropriately etc.[/quote]

- From the Apache site, about switches: "-m: Use MD5 encryption for passwords. This is the default."
- As for the ridiculous security leak... what if they put it in restricted URI? The mission would not be harder but IMPOSSIBLE.

IMHO this mission is cool anyway. If it was only for a weak encryption it would be boring. I also liked the part of finding out the hash format. And I'm not finished yet
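Added example, not written by any poster in this thread: the question above about telling hash types apart, and the .htpasswd format discussion, both come down to the prefix and length of the password field. This Python sketch classifies each entry the way an administrator auditing a file would; the names `classify`, `audit` and `SAMPLE` and all sample entries are constructed for illustration.

```python
import base64
import hashlib
import re

B64 = r"[./0-9A-Za-z]"  # crypt(3)-style base64 alphabet
# Password-field layouts written by Apache htpasswd, most specific first.
SCHEMES = [
    ("apr1-md5", re.compile(rf"^\$apr1\${B64}{{1,8}}\${B64}{{22}}$")),
    ("bcrypt", re.compile(rf"^\$2[aby]\$\d\d\${B64}{{53}}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    # Heuristic: any 13 characters from the alphabet look like DES crypt().
    ("des-crypt", re.compile(rf"^{B64}{{13}}$")),
]
# Unsalted SHA-1 and 8-character-limited DES crypt are the weak ones;
# "unknown" is flagged because it may be a plaintext password.
FLAGGED = {"sha1", "des-crypt", "unknown"}


def classify(field):
    """Return the scheme label for the password field of one entry."""
    for label, pattern in SCHEMES:
        if pattern.match(field):
            return label
    return "unknown"


def audit(text):
    """Return (line number, user, scheme, flagged) for each entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        user, sep, field = line.strip().partition(":")
        if not user:
            continue  # blank line
        label = classify(field) if sep else "unknown"
        findings.append((lineno, user, label, label in FLAGGED))
    return findings


# Constructed sample file: the fields have the right shape but are not real
# hashes, except bob's, which is computed here from the string "constructed".
SAMPLE = "\n".join([
    "alice:$apr1$saltsalt$" + "A" * 22,
    "bob:{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()).decode(),
    "carol:ab" + "C" * 11,
    "dave:$2y$05$" + "B" * 53,
    "erin:hunter2",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
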

I think you may be overthinking this. Start with what you know. You have obviously found the info that you are going to have to tinker with. So now you know the username for sure and you have the "Hash" for the rest of the required information. So in general what is the best way to crack a hash that you can think of?

HINT: look really close at recent posts....

There are 10 types of people in the world. Those who understand binary and those who don't.